Setting a proxy connection on the server

When you install BigFix V9.5, you are asked if you want to set up communication with a proxy.

If you did not configure the connection to the proxy at installation time or if you want to modify the existing configuration, you can edit the proxy configuration settings after installation by running the following command:

On Windows systems:
%PROGRAM FILES%\BigFix Enterprise\BES Server\BESAdmin.exe /setproxy
[/proxy:<proxy_host>[:<proxy_port>] [/user:<proxy_username> /pass:<proxy_password>] 
[/delete]
[/exceptionlist:<proxy_exceptionlist>]
[/proxysecuretunnel:{false|true}]
[/proxyauthmethods:{basic|digest|negotiate|ntlm}]
[/proxydownstream:{false|true}]] |
[/delete]
On Linux systems:
/opt/BESServer/bin/BESAdmin.sh -setproxy [-proxy=<proxy_host>[:<proxy_port>]
[-user=<proxy_username> -pass=<proxy_password>] 
[-exceptionlist=<proxy_exceptionlist>]
[-proxysecuretunnel={false|true}]
[-proxyauthmethods={basic|digest|negotiate|ntlm}]
[-proxydownstream={false|true}]] |
[-delete] |
[-display]
where you can specify the following keys:
proxy
It sets the host name or IP address and, optionally, the port number of the proxy machine. By default the value of proxy_port is 80.
user
It sets the user name that is used to authenticate with the proxy, if the proxy requires authentication.
If you installed your BigFix server on a Windows system and your proxy requires Kerberos Authentication, use the format user@mydomain.com.
Note: The Kerberos Authentication is supported only on Windows systems. This authentication method is not supported if you installed your BigFix server on a Linux system.

If your proxy requires NTLM Authentication, specify the NTLM user.

If your proxy requires the realm name notation, specify the proxy_user as user@mydomain.com or mydomain\user.
Note: The Linux shell manages the back slash "\" as an escape character. Specify either mydomain\\user or "mydomain\user" to use the notation mydomain\user if you run the command in a Linux shell.
pass
It sets the password that is used to authenticate with the proxy, if the proxy requires authentication. The value that is assigned to the password is encrypted in the registry on Windows systems or obfuscated in the configuration file on Linux systems.
delete
If specified, it deletes all the settings defined in BigFix for communicating with the specified proxy.
display
If specified, it displays the proxy communication settings defined in BigFix. This argument applies only to Linux systems.
exceptionlist
If set, it is a comma-separated list of computers and domains that must be reached without passing through the proxy. In this syntax blank spaces have no influence. Each name in this list is matched as either a domain, which contains the hostname, or the hostname itself. For example, yourdomain.com would match yourdomain.com, yourdomain.com:80, and www.yourdomain.com, but not www.notyourdomain.com. You can assign the following sample values to <proxy_exceptionlist>:
localhost,127.0.0.1, yourdomain.com
localhost,127.0.0.1,yourdomain.com,8.168.117.65
"localhost,127.0.0.1, yourdomain.com, 8.168.117.65"

By default, if you do not specify the exceptionlist setting, BigFix V9.5 prevents diverting internal communications from being diverted towards the proxy. This is equivalent to setting exceptionlist:localhost,127.0.0.1. To maintain this behavior, ensure that you add localhost, 127.0.0.1 to the list of exceptions when specifying the exceptionlist setting.

proxysecuretunnel
If set, it defines whether or not the proxy is enforced to attempt tunneling. By default the proxy does not attempt tunneling.
proxyauthmethods
If set, it restricts the set of authentication methods that can be used. You can specify more than one value separated by a comma, for example:
proxyauthmethods:basic,ntlm
By default there is no restriction for the authentication method. The proxy chooses which authentication method must be used.
Note: If you specify to use the negotiate authentication method on a Linux server or relay, a different authentication method might be used.
Note:

If you want to enable FIPS mode, ensure that the proxy configuration uses:

  • An authentication method other than digest on Windows systems.
  • An authentication method other than digest, negotiate or ntlm on Linux systems.
proxydownstream
If set to true, this setting indicates that all HTTP communications in your BigFix environment also pass through the proxy. If you do not specify this setting, by default the value false is assumed.
Note: If you migrate an existing BigFix proxy configuration to V9.5 and the _Enterprise Server _ClientRegister _Proxy* keys are specified, by default proxydownstream is set to true.
On Windows servers the command BESAdmin.exe /setproxy opens the Proxy settings panel filled in the current proxy settings.
Displays the settings to configure the proxy connection
The same panel is displayed whenever you run the BESAdmin.exe command to set one or more specific proxy settings. Check that the values displayed are correct, modify them if necessary and then click OK to confirm the changes.
The proxy configuration settings are stored:
On Windows systems:
In the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\EnterpriseClient\Settings\Client\.
On Linux systems:
In the following sections of the besserver.config file:
  • [SOFTWARE\BigFix\EnterpriseClient\Settings\Client\_Enterprise Server_ClientRegister_ProxyServer]
  • [SOFTWARE\BigFix\EnterpriseClient\Settings\Client\_Enterprise Server_ClientRegister_ProxyPort]
  • [SOFTWARE\BigFix\EnterpriseClient\Settings\Client\_Enterprise Server_ClientRegister_ProxyUser]
  • [SOFTWARE\BigFix\EnterpriseClient\Settings\Client\_Enterprise Server_ClientRegister_ProxyPass]
Important: Whenever you run the BESAdmin command to define a proxy setting, ensure that you specify all not default setting previously defined otherwise they will be set to blank. This behavior applies to both Windows and Linux systems.
Note: Ensure that you use the Edit Settings dialog box on the BigFix Console to update any proxy values that you set through the Edit Settings dialog box.
Note: If a HTTP proxy exists between the server and a child node, ensure that you follow the instructions provided in Enabling client polling to enable downstream communications.
Note: The BES components that access the internet run, by default, as SYSTEM account on the Windows systems and as root on the Linux systems.

For additional configuration settings that you can use to configure your BigFix environment, see List of settings and detailed descriptions.